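#!/bin/bash
#
# This script should examine your EM13c environment, identify the ports
# each component uses, and check for SSLv2/SSLv3 usage, as well as make
# sure that weak cipher suites get rejected.  It also contains a patch
# check, currently comparing against the latest recommended patches, and
# flags the use of demo or self-signed certificates.  Further
# enhancements will include checks for the EM13c Java JDK version.
#
# Released  v0.1:  Initial beta release 5 Apr 2016
# Changes   v0.2:  Updated for current patches
# Changes   v0.3:  APR2016 patchset added
#
# From: @BrianPardy on Twitter
#
# Known functional on Linux x86-64, may work on Solaris and AIX.
#
# Run this script as the Oracle EM13c software owner, with your environment
# fully up and running.
#
# Thanks to Dave Corsar, who tested a previous version on Solaris and
# let me know the changes needed to make the script work on Solaris.
#
# Thanks to opa tropa who confirmed AIX functionality on a previous
# version and noted the use of GNU extensions to grep, which I have
# since removed.
#
# Dedicated to our two Lhasa Apsos:
#   Lucy (6/13/1998 - 3/13/2015)
#   Ethel (6/13/1998 - 7/31/2015)
#
#

SCRIPTNAME=$(basename "$0")
PATCHDATE="19 Apr 2016"
OMSHOST=$(hostname -f)
VERSION="0.3"
# Running failure tally and the "\n"-separated list of failed checks,
# both appended to by every *check function below.
FAIL_COUNT=0
FAIL_TESTS=""

RUN_DB_CHECK=0
# 0: results only, 1: also list failed tests, 2: also echo raw tool output.
VERBOSE_CHECKSEC=2

HOST_OS=$(uname -s)
HOST_ARCH=$(uname -m)

ORAGCHOMELIST="/etc/oragchomelist"
ORATAB="/etc/oratab"

# Solaris keeps the Oracle inventory pointer files under /var/opt/oracle.
if [[ ! -r "$ORAGCHOMELIST" ]]; then
    ORAGCHOMELIST="/var/opt/oracle/oragchomelist"
fi

if [[ ! -r "$ORATAB" ]]; then
    ORATAB="/var/opt/oracle/oratab"
fi

# Prefer the SFW GNU egrep on Solaris; otherwise whatever grep is on PATH.
if [[ -x "/usr/sfw/bin/gegrep" ]]; then
    GREP=/usr/sfw/bin/gegrep
else
    GREP=$(command -v grep)
fi

# The OMS home is the oragchomelist entry mentioning "oms"; "ls -d" confirms
# the directory exists.  When nothing matches, xargs runs "ls -d" with no
# argument and prints ".", which the fallback below detects.
OMS_HOME=$("$GREP" -i oms "$ORAGCHOMELIST" | xargs ls -d 2>/dev/null)

if [[ "$OMS_HOME" == "." ]]; then
    OMS_HOME=$(head -n 1 "$ORAGCHOMELIST")
fi


OPATCH="$OMS_HOME/OPatch/opatch"
OPATCHAUTO="$OMS_HOME/OPatch/opatchauto"
OMSPATCHER="$OMS_HOME/OMSPatcher/omspatcher"
OMSORAINST="$OMS_HOME/oraInst.loc"
ORAINVENTORY=$("$GREP" inventory_loc "$OMSORAINST" | awk -F= '{print $2}')

MW_HOME=$OMS_HOME
COMMON_HOME="$MW_HOME/oracle_common"

# Agent home: the non-REMOVED <HOME NAME="agent13c..." LOC="..."> entry of the
# central inventory; field 3 is LOC="path", so strip the prefix and the quote.
AGENT_HOME=$("$GREP" -vi REMOVED "$ORAINVENTORY/ContentsXML/inventory.xml" \
    | "$GREP" "HOME NAME=\"agent13c" \
    | awk '{print $3}' \
    | sed -e 's/LOC="//' -e 's/"//')


# Instance base: the GCDomain path from domain-registry.xml, cut before
# /user_projects.
EM_INSTANCE_BASE=$("$GREP" GCDomain "$MW_HOME/domain-registry.xml" \
    | sed -e 's/.*=//' -e 's/\/user_projects.*$//' -e 's/"//')

EMGC_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/emgc.properties"
EMBIP_PROPS="$EM_INSTANCE_BASE/em/EMGC_OMS1/embip.properties"
#OPMN_PROPS="$EM_INSTANCE_BASE/WebTierIH1/config/OPMN/opmn/ports.prop"
#OHS_ADMIN_CONF="$EM_INSTANCE_BASE/WebTierIH1/config/OHS/ohs1/admin.conf"

#######################################
# Print the value part of the KEY=VALUE line(s) in a properties file.
# Globals:   GREP (read)
# Arguments: $1 key pattern, $2 properties file
# Outputs:   the text after "=" on each matching line
#######################################
prop_value () {
    "$GREP" "$1" "$2" | awk -F= '{print $2}'
}

PORT_UPL=$(prop_value EM_UPLOAD_HTTPS_PORT "$EMGC_PROPS")
PORT_OMS=$(prop_value EM_CONSOLE_HTTPS_PORT "$EMGC_PROPS")
PORT_OMS_JAVA=$(prop_value MS_HTTPS_PORT "$EMGC_PROPS")
PORT_NODEMANAGER=$(prop_value EM_NODEMGR_PORT "$EMGC_PROPS")
PORT_BIP=$(prop_value BIP_HTTPS_PORT "$EMBIP_PROPS")
PORT_BIP_OHS=$(prop_value BIP_HTTPS_OHS_PORT "$EMBIP_PROPS")
PORT_ADMINSERVER=$(prop_value AS_HTTPS_PORT "$EMGC_PROPS")
#PORT_OPMN=$(prop_value '/opmn/remote_port' "$OPMN_PROPS")
#PORT_OHS_ADMIN=$("$GREP" Listen "$OHS_ADMIN_CONF" | awk '{print $2}')
# Agent port: the port component of the "Agent URL" reported by emctl.
PORT_AGENT=$("$AGENT_HOME/bin/emctl" status agent | "$GREP" 'Agent URL' \
    | sed -e 's/\/emd\/main\///' -e 's/^.*://' | uniq)

# Repository connect descriptor: drop the key and the backslashes the
# properties file uses as escapes.  (Inside $(...) the sed pattern \\ is one
# literal backslash; the old backquoted form needed \\\\ for the same thing.)
REPOS_DB_CONNDESC=$("$GREP" EM_REPOS_CONNECTDESCRIPTOR "$EMGC_PROPS" \
    | sed -e 's/EM_REPOS_CONNECTDESCRIPTOR=//' -e 's/\\//g')
REPOS_DB_HOST=$(printf '%s\n' "$REPOS_DB_CONNDESC" | sed -e 's/^.*HOST=//' -e 's/).*$//')
REPOS_DB_SID=$(printf '%s\n' "$REPOS_DB_CONNDESC" | sed -e 's/^.*SID=//' -e 's/).*$//')

# Repository DB checks are only possible when the DB runs on this host.
if [[ "$REPOS_DB_HOST" == "$OMSHOST" ]]; then
    REPOS_DB_HOME=$("$GREP" "$REPOS_DB_SID:" "$ORATAB" | awk -F: '{print $2}')
    REPOS_DB_VERSION=$("$REPOS_DB_HOME/OPatch/opatch" lsinventory -oh "$REPOS_DB_HOME" \
        | "$GREP" 'Oracle Database' | awk '{print $4}')

    case "$REPOS_DB_VERSION" in
        11.2.0.4.0|12.1.0.2.0)
            RUN_DB_CHECK=1
            ;;
        *)
            printf '\tSkipping local repository DB patch check, only 11.2.0.4 or 12.1.0.2 supported by this script for now\n'
            ;;
    esac
fi

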
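#######################################
# Probe one TLS endpoint with openssl s_client and record whether protocol
# $4 was negotiated.  tls1 must succeed; ssl2 and ssl3 must be refused.
# Globals:   GREP (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 host, $3 port,
#            $4 openssl protocol option without the dash (tls1, ssl2, ssl3)
# Outputs:   one result line to stdout
#######################################
sslcheck () {
    local component="$1" host="$2" port="$3" proto="$4"
    local cipher_lines handshake_failed

    # With -prexit s_client prints a session summary even when the handshake
    # fails: "Cipher : 0000" means refused, a cipher name means negotiated.
    # No Cipher line at all means openssl never reached a handshake (connect
    # error, or this openssl build rejects the -$proto option), so neither
    # "available" nor "disabled" can be concluded from it.
    cipher_lines=$(echo Q | openssl s_client -prexit -connect "$host:$port" "-$proto" 2>&1 | "$GREP" Cipher)
    handshake_failed=$(printf '%s\n' "$cipher_lines" | "$GREP" -c 0000)

    case "$proto" in
        tls1)
            printf '\tConfirming %s available for %s at %s:%s... ' "$proto" "$component" "$host" "$port"
            if [[ -z "$cipher_lines" ]]; then
                echo "FAILED - no handshake result (connection or openssl error)"
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ $host:${port}:$proto protocol could not be tested"
            elif [[ "$handshake_failed" -eq 0 ]]; then
                echo OK
            else
                echo FAILED
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ $host:${port}:$proto protocol connection failed"
            fi
            ;;
        ssl2|ssl3)
            printf '\tConfirming %s disabled for %s at %s:%s... ' "$proto" "$component" "$host" "$port"
            if [[ -z "$cipher_lines" ]]; then
                echo "FAILED - no handshake result (connection or openssl error)"
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ $host:${port}:$proto protocol could not be tested"
            elif [[ "$handshake_failed" -ne 0 ]]; then
                echo OK
            else
                echo FAILED
                FAIL_COUNT=$((FAIL_COUNT+1))
                FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ $host:${port}:$proto protocol connection succeeded"
            fi
            ;;
    esac
}
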
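#######################################
# Confirm that a patch appears in an Oracle home's OPatch inventory.
# Globals:   OPATCH, GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label ("ReposDBHome" uses that home's own opatch),
#            $2 Oracle home, $3 patch number
# Outputs:   OK or FAILED, then the matching inventory line(s) when verbose
#######################################
opatchcheck () {
    local component="$1" oh="$2" patch="$3"
    local opatch_bin="$OPATCH"
    local found

    # The repository DB home is inventoried by its own OPatch, not the OMS one.
    if [[ "$component" == "ReposDBHome" ]]; then
        opatch_bin="$oh/OPatch/opatch"
    fi

    # -F: the patch number is a literal string, not a regular expression.
    found=$("$opatch_bin" lsinv -oh "$oh" | "$GREP" -F "$patch")

    if [[ -z "$found" ]]; then
        echo FAILED
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ ${oh}:Patch $patch not found"
    else
        echo OK
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$found"
    fi
}
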
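#######################################
# Confirm that a patch is listed by "opatchauto lspatches" for an Oracle home.
# Globals:   OPATCHAUTO, GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 Oracle home, $3 patch number
# Outputs:   OK or FAILED, then the matching line(s) when verbose
#######################################
opatchautocheck () {
    local component="$1" oh="$2" patch="$3"
    local found

    # -F: the patch number is a literal string, not a regular expression.
    found=$("$OPATCHAUTO" lspatches -oh "$oh" | "$GREP" -F "$patch")

    if [[ -z "$found" ]]; then
        echo FAILED
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ ${oh}:Patch $patch not found"
    else
        echo OK
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$found"
    fi
}
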
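#######################################
# Confirm that a patch is listed by "omspatcher lspatches" for an Oracle home.
# Globals:   OMSPATCHER, GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 Oracle home, $3 patch number
# Outputs:   OK or FAILED, then the matching line(s) when verbose
#######################################
omspatchercheck () {
    local component="$1" oh="$2" patch="$3"
    local found

    # -F: the patch number is a literal string, not a regular expression.
    found=$("$OMSPATCHER" lspatches -oh "$oh" | "$GREP" -F "$patch")

    if [[ -z "$found" ]]; then
        echo FAILED
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ ${oh}:Patch $patch not found"
    else
        echo OK
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$found"
    fi
}
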
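#######################################
# Flag an endpoint whose certificate openssl reports as self-signed.
# Globals:   GREP (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 host, $3 port
# Outputs:   one result line to stdout
#######################################
certcheck () {
    local component="$1" host="$2" port="$3"
    local selfsigned

    printf '\tChecking certificate at %s (%s:%s)... ' "$component" "$host" "$port"

    # The verify error text is "self signed certificate" in OpenSSL 1.x and
    # "self-signed certificate" in OpenSSL 3.x; accept either spelling so a
    # newer openssl does not silently turn this check into a pass.
    selfsigned=$(echo Q | openssl s_client -prexit -connect "$host:$port" -tls1 2>&1 | "$GREP" -ci "self[- ]signed certificate")

    if [[ "$selfsigned" -eq 0 ]]; then
        echo OK
    else
        echo "FAILED - Found self-signed certificate"
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ ${host}:${port} found self-signed certificate"
    fi
}
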
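#######################################
# Flag an endpoint still serving the Oracle demonstration certificate, which
# is identified by its issuer OU "FOR TESTING ONLY".
# Globals:   GREP (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 host, $3 port
# Outputs:   one result line to stdout
#######################################
democertcheck () {
    local component="$1" host="$2" port="$3"
    local democount

    printf '\tChecking demo certificate at %s (%s:%s)... ' "$component" "$host" "$port"

    # Older openssl prints the issuer as "/C=US/ST=MyState/.../OU=FOR TESTING
    # ONLY/CN=..."; newer builds print "C = US, ST = MyState, ..., OU = FOR
    # TESTING ONLY, ...".  Match the distinctive OU in either layout.
    democount=$(echo Q | openssl s_client -prexit -connect "$host:$port" -tls1 2>&1 | "$GREP" -ci "issuer=.*OU *= *FOR TESTING ONLY")

    if [[ "$democount" -eq 0 ]]; then
        echo OK
    else
        echo "FAILED - Found demonstration certificate"
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$component @ ${host}:${port} found demonstration certificate"
    fi
}

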
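#######################################
# Helper for ciphercheck: attempt a TLSv1 handshake restricted to the openssl
# cipher group $4 and judge it against $5 ("reject": the server must refuse
# the whole group; "accept": it must negotiate a cipher from it).
# Globals:   GREP (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 host, $3 port, $4 cipher group
#            (LOW, MEDIUM, HIGH), $5 expectation (reject or accept)
# Outputs:   one result line to stdout; FAIL_TESTS entries are tagged with the
#            caller's name so they read the same as before the split
#######################################
_ciphercheck_probe () {
    local component="$1" host="$2" port="$3" group="$4" expect="$5"
    local cipher_lines refused

    printf '\tChecking %s strength ciphers on %s (%s:%s)...' "$group" "$component" "$host" "$port"

    # "Cipher : 0000" in the -prexit summary means the handshake was refused;
    # a cipher name means one was negotiated.
    cipher_lines=$(echo Q | openssl s_client -prexit -connect "$host:$port" -tls1 -cipher "$group" 2>&1 | "$GREP" Cipher | uniq)
    refused=$(printf '%s\n' "$cipher_lines" | "$GREP" -c 0000)

    if [[ -z "$cipher_lines" ]]; then
        # No summary at all: connection error, or this openssl build has no
        # ciphers in the group.  That says nothing about the server, so do
        # not report it as OK in either direction.
        printf '\tFAILED - NO HANDSHAKE RESULT FOR %s STRENGTH CIPHERS (connection or openssl error)\n' "$group"
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n${FUNCNAME[1]}:$component @ $host:${port}:$group strength ciphers could not be tested"
    elif [[ "$expect" == "reject" ]]; then
        if [[ "$refused" -eq 0 ]]; then
            printf '\tFAILED - PERMITS %s STRENGTH CIPHER CONNECTIONS\n' "$group"
            FAIL_COUNT=$((FAIL_COUNT+1))
            FAIL_TESTS="${FAIL_TESTS}\\n${FUNCNAME[1]}:$component @ $host:${port}:Permits $group strength ciphers"
        else
            printf '\tOK\n'
        fi
    else
        if [[ "$refused" -eq 0 ]]; then
            printf '\tOK\n'
        else
            printf '\tFAILED - CANNOT CONNECT WITH %s STRENGTH CIPHER\n' "$group"
            FAIL_COUNT=$((FAIL_COUNT+1))
            FAIL_TESTS="${FAIL_TESTS}\\n${FUNCNAME[1]}:$component @ $host:${port}:Rejects $group strength ciphers"
        fi
    fi
}

#######################################
# Check one endpoint's cipher policy: LOW and MEDIUM strength groups must be
# refused, HIGH strength must be accepted.
# Globals:   GREP (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 component label, $2 host, $3 port
# Outputs:   three result lines and a blank line to stdout
#######################################
ciphercheck () {
    local component="$1" host="$2" port="$3"

    _ciphercheck_probe "$component" "$host" "$port" LOW reject
    _ciphercheck_probe "$component" "$host" "$port" MEDIUM reject
    _ciphercheck_probe "$component" "$host" "$port" HIGH accept
    echo
}
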
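#######################################
# Confirm that a WebLogic patch appears in the bsu.sh -report listing.
# Globals:   MW_HOME, GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 label used in the failure entry, $2 patch id
# Outputs:   OK or FAILED, then the matching report line(s) when verbose
#######################################
wlspatchcheck () {
    local wlsdir="$1" patch="$2"
    local found

    # bsu.sh expects to be started from its own directory.
    found=$( (cd "$MW_HOME/utils/bsu" && "$MW_HOME/utils/bsu/bsu.sh" -report) | "$GREP" -F "$patch")

    # Test the match itself.  The previous "echo | wc -l" count was never
    # below 1 (echo of an empty string still emits a line), so a missing
    # patch could never be reported.
    if [[ -n "$found" ]]; then
        printf '\tOK\n'
    else
        printf '\tFAILED - PATCH NOT FOUND\n'
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$wlsdir:Patch $patch not found"
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$found"
    fi
}
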
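#######################################
# Compare the version string of a JDK against the expected release.
# Globals:   GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 label for the JDK being checked, $2 JDK home,
#            $3 expected version (optional, default 1.6.0_95)
# Outputs:   OK or FAILED, then the detected version when verbose
#######################################
javacheck () {
    local which_java="$1" java_dir="$2"
    local expected="${3:-1.6.0_95}"
    local found

    # "java -version" writes to stderr; its "version" line reads
    # java version "1.6.0_95", so take field 3 and drop the quotes.
    found=$("$java_dir/bin/java" -version 2>&1 | "$GREP" version | awk '{print $3}' | sed -e 's/"//g')

    if [[ "$found" == "$expected" ]]; then
        printf '\tOK\n'
    else
        printf '\tFAILED\n'
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$which_java Java in ${java_dir}:Found incorrect version $found"
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$found"
    fi
}
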
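#######################################
# Compare a sqlnet.ora / listener.ora TLS parameter with its required value.
# Globals:   GREP, VERBOSE_CHECKSEC (read); FAIL_COUNT, FAIL_TESTS (written)
# Arguments: $1 parameter name (SSL_VERSION or SSL_CIPHER_SUITES; anything
#            else is ignored), $2 Oracle home, $3 file under network/admin
# Outputs:   OK or FAILED, then the found value when verbose
#######################################
paramcheck () {
    local param="$1" oracle_home="$2" file="$3"
    local value expected

    case "$param" in
        SSL_VERSION)
            expected="1.0"
            ;;
        SSL_CIPHER_SUITES)
            expected="(SSL_RSA_WITH_AES128_CBC_SHA,SSL_RSA_WITH_AES256_CBC_SHA)"
            ;;
        *)
            # Unknown parameter: nothing to compare against.
            return 0
            ;;
    esac

    # Only an active assignment counts, so anchor at the start of the line;
    # this keeps a commented-out "#SSL_VERSION=..." from polluting the value.
    # [[:space:]] replaces the GNU-only \s so non-GNU sed behaves the same.
    value=$("$GREP" "^[[:space:]]*$param[[:space:]]*=" "$oracle_home/network/admin/$file" \
        | awk -F= '{print $2}' | sed -e 's/[[:space:]]//g')

    if [[ "$value" == "$expected" ]]; then
        echo OK
    else
        printf 'FAILED - Found %s = %s\n' "$param" "$value"
        FAIL_COUNT=$((FAIL_COUNT+1))
        FAIL_TESTS="${FAIL_TESTS}\\n$FUNCNAME:$param in $file for home ${oracle_home}:incorrect parameter value"
    fi

    if [[ "$VERBOSE_CHECKSEC" -ge 2 ]]; then
        printf '%s\n' "$value"
    fi
}

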
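### MAIN SCRIPT HERE

# TLS endpoints probed in sections 1-3, in display order.  The two arrays are
# kept parallel so an empty port still occupies its slot instead of shifting
# the remaining arguments of a check call.  OPMN stays disabled, matching the
# commented-out PORT_OPMN discovery above.
ENDPOINT_NAMES=(Agent BIPublisher NodeManager BIPublisherOHS OMSconsole OMSproxy OMSupload WLSadmin)
ENDPOINT_PORTS=("$PORT_AGENT" "$PORT_BIP" "$PORT_NODEMANAGER" "$PORT_BIP_OHS" "$PORT_OMS" "$PORT_OMS_JAVA" "$PORT_UPL" "$PORT_ADMINSERVER")

printf 'Performing EM13c security checkup version %s on %s at %s.\n\n' "$VERSION" "$OMSHOST" "$(date)"

echo "Using port definitions from configuration files "
# Report the oragchomelist actually read (the Solaris fallback may apply).
printf '\t%s\n' "$ORAGCHOMELIST"
printf '\t%s\n' "$EMGC_PROPS"
printf '\t%s\n' "$EMBIP_PROPS"
echo
printf '\tAgent port found at %s:%s\n' "$OMSHOST" "$PORT_AGENT"
printf '\tBIPublisher port found at %s:%s\n' "$OMSHOST" "$PORT_BIP"
printf '\tBIPublisherOHS port found at %s:%s\n' "$OMSHOST" "$PORT_BIP_OHS"
printf '\tNodeManager port found at %s:%s\n' "$OMSHOST" "$PORT_NODEMANAGER"
printf '\tOMSconsole port found at %s:%s\n' "$OMSHOST" "$PORT_OMS"
printf '\tOMSproxy port found at %s:%s\n' "$OMSHOST" "$PORT_OMS_JAVA"
printf '\tOMSupload port found at %s:%s\n' "$OMSHOST" "$PORT_UPL"
printf '\tWLSadmin found at %s:%s\n' "$OMSHOST" "$PORT_ADMINSERVER"
echo
printf '\tRepository DB version=%s SID=%s host=%s\n' "$REPOS_DB_VERSION" "$REPOS_DB_SID" "$REPOS_DB_HOST"

if [[ "$RUN_DB_CHECK" -eq 1 ]]; then
    printf '\tRepository DB on OMS server, will check patches/parameters in %s\n' "$REPOS_DB_HOME"
fi

#exit 0

printf '\n(1) Checking SSL/TLS configuration (see notes 1602983.1, 1477287.1, 1905314.1)\n'

printf '\n\t(1a) Forbid SSLv2 connections\n'
for i in "${!ENDPOINT_NAMES[@]}"; do
    sslcheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}" ssl2
done

printf '\n\t(1b) Forbid SSLv3 connections\n'
for i in "${!ENDPOINT_NAMES[@]}"; do
    sslcheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}" ssl3
done

printf '\n\t(1c) Permit TLSv1 connections\n'
for i in "${!ENDPOINT_NAMES[@]}"; do
    sslcheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}" tls1
done

printf '\n(2) Checking supported ciphers at SSL/TLS endpoints (see notes 1477287.1, 1905314.1, 1067411.1)\n'
for i in "${!ENDPOINT_NAMES[@]}"; do
    ciphercheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}"
done

printf '\n(3) Checking self-signed and demonstration certificates at SSL/TLS endpoints (see notes 1367988.1, 1399293.1, 1593183.1, 1527874.1, 123033.1, 1937457.1)\n'
for i in "${!ENDPOINT_NAMES[@]}"; do
    certcheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}"
    democertcheck "${ENDPOINT_NAMES[$i]}" "$OMSHOST" "${ENDPOINT_PORTS[$i]}"
done


printf '\n(4) Checking EM13c Oracle home patch levels against %s baseline (see notes 1664074.1, 1900943.1, 822485.1, 1470197.1, 1967243.1)\n' "$PATCHDATE"

if [[ "$RUN_DB_CHECK" -eq 1 ]]; then

    # Only the 12.1.0.2 PSU/JAVAVM pair is tracked; the JAN2016 patches
    # (21948354, 22139226) are superseded by the APR2016 ones below.
    if [[ "$REPOS_DB_VERSION" == "12.1.0.2.0" ]]; then
        printf '\n\t(4a) *UPDATED* OMS REPOSITORY DATABASE HOME (%s) PSU 12.1.0.2.160419 (APR2016) (22291127)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 22291127

        printf '\n\t(4a) *UPDATED* OMS REPOSITORY DATABASE HOME (%s) ORACLE JAVAVM COMPONENT 12.1.0.2.160419 DATABASE PSU (APR2016) (22674709)... ' "$REPOS_DB_HOME"
        opatchcheck ReposDBHome "$REPOS_DB_HOME" 22674709
    fi

    # TLS parameters in both network configuration files (note 1545816.1).
    for netfile in sqlnet.ora listener.ora; do
        for param in SSL_VERSION SSL_CIPHER_SUITES; do
            printf '\n\t(4b) OMS REPOSITORY DATABASE HOME (%s) %s %s parameter (1545816.1)... ' "$REPOS_DB_HOME" "$netfile" "$param"
            paramcheck "$param" "$REPOS_DB_HOME" "$netfile"
        done
    done
fi

printf '\n\t(4c) OMS CHAINED AGENT HOME (%s) EM-AGENT BUNDLE PATCH 13.1.0.0.160331 (22823268)... ' "$AGENT_HOME"
opatchcheck Agent "$AGENT_HOME" 22823268

printf '\n\t(4c) OMS CHAINED AGENT HOME (%s) EM DB PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22920712)... ' "$AGENT_HOME"
opatchcheck Agent "$AGENT_HOME" 22920712

printf '\n\t(4c) OMS CHAINED AGENT HOME (%s) EM FMW PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22936491)... ' "$AGENT_HOME"
opatchcheck Agent "$AGENT_HOME" 22936491

printf '\n\t(4c) OMS CHAINED AGENT HOME (%s) EM SI PLUGIN BUNDLE PATCH 13.1.1.0.160331 MONITORING (22823189)... ' "$AGENT_HOME"
opatchcheck Agent "$AGENT_HOME" 22823189

printf '\n\t(4d) OMS HOME (%s) ENTERPRISE MANAGER FOR OMS PLUGINS 13.1.1.0.160331 (22920724)... ' "$OMS_HOME"
omspatchercheck OMS "$OMS_HOME" 22920724

# Section label corrected from "(43)" to follow 4a-4d.
printf '\n\t(4e) *NEW* (%s) WLS PATCH SET UPDATE 12.1.3.0.160419 (22505404)... ' "$MW_HOME"
opatchcheck WLS "$MW_HOME" 22505404

echo
echo

if [[ "$FAIL_COUNT" -gt 0 ]]; then
    echo "Failed test count: $FAIL_COUNT - Review output"
    # FAIL_TESTS holds literal "\n" separators; %b expands them as echo -e did.
    if [[ "$VERBOSE_CHECKSEC" -ge 1 ]]; then
        printf '%b\n' "$FAIL_TESTS"
    fi
else
    echo "All tests succeeded."
fi

echo
echo "Visit https://pardydba.wordpress.com/2016/04/05/securing-oracle-enterprise-manager-13c/ for the latest version."
echo

exit 0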